Diffstat (limited to 'doc/html/_sources/admin/conf_files')
3 files changed, 92 insertions, 24 deletions
diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
index d23fb8a5789e..290bf0e037a7 100644
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1). He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2). His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
(line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`. The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt
index 13077ecf4bc2..3af1c3796e6b 100644
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
(String.) Location of the access control list file that
:ref:`kadmind(8)` uses to determine which principals are allowed
- which permissions on the Kerberos database. The default value is
- |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL
- file see :ref:`kadm5.acl(5)`.
+ which permissions on the Kerberos database. To operate without an
+ ACL file, set this relation to the empty string with ``acl_file =
+ ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more
+ information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
(String.) This relation indicates the name of the configuration
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
+ (String.) Specifies the authentication indicator value that the KDC
+ asserts into tickets obtained using FAST encrypted challenge
+ pre-authentication. New in 1.16.
(Whitespace- or comma-separated list.) Lists services which will
get host-based referral processing even if the server principal is
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)
- Specifies the location of the KDC's OCSP.
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3 The triple DES family: des3-cbc-sha1
-aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4 The RC4 family: arcfour-hmac
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt
index 653aad613cbc..4ed9832c7b17 100644
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
the local user or by root.
- On OS X only, determines the name of the bootstrap service used to
+ On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is ``-``, Mach RPC will not be used to contact the KCM
daemon. The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
Uses the service realm to guess an appropriate cache from the
+ If the service principal is host-based, uses the service hostname
+ to guess an appropriate cache from the collection
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation. The
+following built-in modules exist for this interface:
+ This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+ operations which are allowed according to the rules in the file.
+ This module authorizes self-service operations including password
+ changes, creation of new random keys, fetching the client's
+ principal record or string attributes, and fetching the policy
+ record associated with the client principal.
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
This module authorizes a principal to a local account if the
principal name maps to the local account name.
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built-in modules exist for this interface:
+ This module authorizes the certificate if it contains a PKINIT
+ Subject Alternative Name for the requested client principal, or a
+ Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+ is set to true for the realm.
+ This module rejects the certificate if it does not contain an
+ Extended Key Usage attribute consistent with the
+ **pkinit_eku_checking** value for the realm.
+ This module authorizes or rejects the certificate according to
+ whether it matches the **pkinit_cert_match** string attribute on
+ the client principal, if that attribute is present.